During the past few decades, the Internet has provided a convenient way to obtain a wealth of information on almost any subject. Many paid and free information services may be offered over the Internet, including electronic mail, home shopping, gaming, paperless billing services, and the like. Users merely need to obtain a web page address or uniform resource locator (URL) for the service they desire.
In this regard, commercial revenue for Internet-based operations has steadily increased, even for those companies that offer their Internet services for free. The companies that offer free services may obtain revenue from related non-Internet services offered to their customers or through advertising on their web site. For example, many banks offer free on-line banking services to their account holders. Further, the most popular Internet search engine providers charge for advertising on their search engine web sites, which are accessed by millions of Internet users every day.
However, as the customer base for on-line services has grown dramatically over the years, so have the opportunities for those who wish to engage in malicious activity targeting Internet web sites. What originated as several individuals, or hackers, breaking into systems for unauthorized viewing of information or sending individual virus attacks against selected systems just for the thrill of doing so, has evolved into extortion-based, multi-front, attacks on many systems or whole sub-networks within the Internet.
For example, many offshore extortionists have developed ways to extract significant revenue from companies located in multiple jurisdictions. These extortionists avoid prosecution by law enforcement by launching their malicious attacks from countries in which they may avoid prosecution, either legally or practically. Further, the extortionists may obfuscate their identities by launching attacks from different computers at different locations.
Typically, an extortionist pre-warns a web site owner before an attack, demanding that a sum of money is wired to an anonymous, foreign account. For example, in the case of a gaming web site, the extortionist may wait until just before a significant event, such as an on-line poker tournament, or in the case of gambling, a major horse race, such as the Kentucky Derby. An electronic mail message may be sent to the site owner with the warning and appropriate bank account information. If the site owner does not pay the amount requested by the extortionist, then the extortionist may cause an attack to occur at the peak time for usage of the web site during the event. Still an attack may essentially shut down operations for the site. Acknowledging that the threat is real, the site owner will likely pay a potentially significant sum of money, rather than risk the loss of a significant profit obtained during the special event or peak time of the year.
The methods available to the extortionist are many. For example, one type of malicious attack that may target a system is called a distributed denial of service (DDoS) attack. This type of attack is universally acknowledged as being one of the most troublesome types of attacks of our time. A DDoS attack includes “flooding” a host computer or network with information. The flood of information can consume all available bandwidth of the host computer's or network's computing resources, thereby preventing legitimate network traffic from reaching the host network and further preventing an individual user from accessing the services of the host network. More particularly, the attacker can consume bandwidth through a network flood either by generating a large number of data packets, which contain data exchanged over the Internet, or by generating a small number of extremely large packets, directed to the target computer or network. Typically, those packets comprise Internet Control Message Protocol (ICMP) packets, User Datagram Protocol (UDP) stream attack packets, TCP SYN flood packets, or packets used in TCP based attacks such as GET flood attacks that typically occur after handshaking is completed and a session is started. In principle, however, the packets can include any form.
The attacker can execute the flood attack from a single computer. This comprises a non-distributed or conventional denial of service (DoS) attack. Alternatively, during a DDoS attack, the attacker coordinates or co-opts several computers on different networks to achieve the same effect. The attacker also can falsify (spoof) the source IP address of the packets, thereby making it difficult to trace the identity of the computers used to carry out the attack. Spoofing the source IP address also can shift attention onto innocent third parties.
An attacker also may execute a more defined attack using spoofed packets called a “broadcast amplification” or a “smurf attack.” In this common attack, the attacker generates packets with a spoofed source address of the target. The attacker then sends a series of network requests using the spoofed packets to an organization having many computers. The packets contain an address that broadcasts the packets to every computer within the organization. Every computer within the organization then responds to the spoofed packet requests and sends data on to the target site. Accordingly, the target computer or network becomes flooded with the responses from the organization. Unfortunately, the target site then may blame the organization for the attack.
Further, recent attacks have been launched against domain name service (DNS) servers. DNS servers are essential to the operation of the Internet, as they provide the key function of converting alphanumeric domain names, such as XYZ.com, into the number based Internet protocol (IP) addresses on which each Internet connection is ultimately based. Attackers have discovered a new way to bring down whole segments of the Internet by attacking the DNS servers themselves, instead of the computers that the IP addresses identify.
To date, systems for detecting and mitigating DoS or DDoS attacks have been few. Some prior systems or solutions have individually used or proposed different tools or software, sometimes in the form of so-called firewalls, in an attempt to combat such attacks. These tools or software may include: systems that detect half-open connections that are typically caused by many attacks; systems that compare headers of packets to specific, known flood attack headers; or systems that monitor data packet flow that is above average or that exceed various thresholds.
However, while these prior systems have experienced some success, such success has been limited. For example, typical systems attempt to prevent attacks from one or more computers, each of which having one source, and each targeted toward a single computer. These prior systems typically require identification of the source computers involved in the attacks, as well as the target, to compare duplicate source and target values to threshold values at the network or lower layers of the open system interconnect (OSI) model. If the attack detection tools are successfully spoofed at lower levels of the OSI model, this leaves higher levels of the OSI model, such as the application layer, vulnerable to subsequent attacks. This is true, because the prior systems assume that the data passing through a connection is safe after it has passed through the tools at the lower layers.
Thus, none of the prior systems provide for reliable universal protection of many computer systems or nodes through one access point, regardless of the source and target of an attack. Further, none of the prior systems provide for reliable universal protection of several computer systems or nodes at the same time, or after a connection has been deemed as safe using typical tools at lower levels of the OSI model.
Finally, none of the prior systems provide for reliable protection of DNS servers to prevent whole networks from becoming non-operational. Accordingly, there is a need in the art for a system and method that solves the problems associated with such prior systems.